Couldn't you just use pass and have something like this in your bash script/env:
export SOME_SECRET="$(pass show some/secret)"
this in a credentials file to source before doing some operation? sure. I usually do: `( . ./credentials && ./the_thing )` so the secrets are only in the subshell and don't linger in my shell session forever.
but don't put that in <shell>rc, as it a) will be visible for all other (child) processes of your shell b) will spawn pinentry every time the agent's cache ttl expires
That hides it in the source, but doesn't hide it in the execution environment that can access the ENV. Everything you run inside your shell could still read it. (but if you're running untrusted things...you've already lost)
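The scoping behaviour discussed in this thread, as an added example that is not part of any poster's comment: it compares the `( . ./credentials && ./the_thing )` pattern with sourcing the file into the session itself. The credentials file, its value and the `the_thing` function are constructed stand-ins; a real file would call `pass show some/secret`.

```shell
#!/bin/sh
# Constructed stand-in for a credentials file. A real one would contain:
#   export SOME_SECRET="$(pass show some/secret)"
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/credentials" <<'EOF'
export SOME_SECRET="constructed-demo-value"
EOF

# Hypothetical stand-in for ./the_thing: a separate child process that
# reports whether the secret is present in its environment.
the_thing() {
    sh -c 'printf "%s" "${SOME_SECRET:-unset}"'
}

# Pattern from the thread: source and run inside ( ... ). Anything started
# inside the parentheses can read the secret; the calling shell and any
# child started afterwards cannot.
scoped_to_subshell() {
    inside=$(
        ( . "$demo_dir/credentials" && the_thing )
    )
    after=${SOME_SECRET:-unset}      # the calling shell itself
    later_child=$(the_thing)         # an unrelated later child process
    printf '%s %s %s' "$inside" "$after" "$later_child"
}

# Sourcing into the session (what putting the export in <shell>rc amounts
# to): every later child process inherits the variable.
sourced_in_session() {
    . "$demo_dir/credentials"
    later_child=$(the_thing)
    unset SOME_SECRET                # clean up after the demonstration
    printf '%s' "$later_child"
}

printf 'subshell pattern:   %s\n' "$(scoped_to_subshell)"
printf 'sourced in session: %s\n' "$(sourced_in_session)"
```

The three fields printed for the subshell pattern are: what the command inside the parentheses saw, what the calling shell holds afterwards, and what a later child process saw.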